Skip to main content

Snyk Security using Language Server Protocol

著者:
Bastian Doetsch

Bastian Doetsch

wordpress-sync/feature-dev-challenge

2022年9月6日

0 分で読めます

Snyk provides plugins or extensions for Visual Studio Code, Jetbrains IDEs like IntelliJ, WebStorm, PHPStorm, GoLand, and Visual Studio. But have you ever wanted to integrate Snyk in your daily work when your favorite editor or IDE is Vim, Emacs, Sublime, or Eclipse? This is going to be possible soon, as we’ve published our Eclipse plugin, including the new Snyk Language Server Protocol.

Multitude of editors and IDEs

Currently, Snyk offers plugins for Visual Studio Code, Visual Studio, Eclipse, and the IntelliJ platform. These integrations are rich, yet different in the functionality they offer because they are all individually developed and maintained.

The four IDEs we already support cover the majority of developers using Snyk, but some would like to have even more choice on their IDE or editor and develop using a different environment, while still getting rich integrations for all Snyk products during their engineering tasks. Until now, we could not offer a built-in solution and had to point to the CLI, but this is changing with the Language Server.

Enter Language Server Protocol

Language Server Protocol (LSP) was created by Microsoft and open sourced in 2016. It is used heavily by VSCode and defines standards on communicating with an IDE to highlight, annotate, and provide fixes and coding help — including support for reporting issues. It has enabled a rich programming experience in almost any environment, as feature-rich language servers are provided for virtually every programming language.

At Snyk, we discussed how we could possibly leverage this protocol to provide Snyk analysis across IDEs, and came to the conclusion that LSP could cover our need to surface issues and vulnerabilities. Instead of having to develop integrations individually per IDE, we can leverage existing LSP support in a multitude of different development environments. Many of them come with this functionality out of the box — as Eclipse, VSCode, Visual Studio, Sublime, Vim, Atom, and many more editors support this protocol. Even the new Jetbrains Fleet product is supporting LSP.

Furthermore, LSP is extended when new capabilities are needed, and more and more IDEs are supporting LSP.

The Snyk Language Server

wordpress-sync/blog-lsp-snyk-lang-server

When we started work on encapsulating Snyk Products behind the Language Server Protocol, we decided to start with Eclipse as the first IDE. to use as its Snyk backend protocol. This was because the Snyk Eclipse plugin was not as feature-rich as other platforms, and there was a Language Server plugin readily available for the Eclipse platform. The LSP integration LSP4e already offers integration with Eclipse, which only had to be extended and configured for our purposes.

Our Snyk Language Server is implemented in Go, so we can have self-sufficient binaries for a multitude of platforms. We have just made it generally available for our Eclipse plugin, and are working on adding it to the other IDE plugins we support, so we can bring faster improvements to all development environments.

The new Eclipse Plugin 2.0

wordpress-sync/blog-lsp-new-eclipse-plugin-1

While we have tested the Language Server internally without any custom integration for NeoVim, Sublime, and other Editors, the Snyk Eclipse plugin is the first integration Snyk officially supports to feature and expose the functionality.

The new Eclipse plugin not only covers Snyk Open Source, but also Snyk IaC (infrastructure as code), and Snyk Code findings along with extended configuration options. Previously, only Snyk Open Source was supported.

Authentication and Download

Authentication and download of necessary binaries is now triggered on demand, and scanning progress and user notifications are shown. If the automatic management of binaries is not desired, it can be deactivated and custom paths can be selected and used to stay in full control.

wordpress-sync/blog-lsp-eclipse-snyk-preferences

Moreover, the integration is much richer than before. The Snyk Eclipse Plugin now provides highlighting for issues in the code editor, marks files with issues in the Project and Package Explorer, and elements in the Outline view. Additionally, Snyk issues are added to, and can be filtered in, the Eclipse Problems view.

Scans are triggered automatically on plugin start-up, and when opening and saving documents, but can also be triggered manually, using the project’s context menu.

Annotations and Highlighting

If Snyk finds an issue, the corresponding line is highlighted in the editor by underlining the line, as well as marking it on the left hand side next to the line numbers.

wordpress-sync/blog-lsp-dependencies-adm-zip

Problem view

A collection of all issues is shown in the Eclipse problem view.

wordpress-sync/blog-lsp-arbitrary-code-execution

Project Explorer

Files with issues are also highlighted in the Project Explorer and Package Explorer views:

wordpress-sync/blog-lsp-routes-index

Hovers

When hovering over an issue, in this case a Snyk Code issue, additional information to fix and understand the issue is displayed.

wordpress-sync/blog-lsp-medium-severity-vuln

Code Lenses

Code Lenses are an in-editor means to interact with the code and issue commands to the language server. They are displayed on top of a code-line that has a code lens attached to it. In our case, we display the Snyk Code Data flow using Code Lenses to allow navigating to the different Data Flow locations with a single click.

wordpress-sync/blog-lsp-function-cmd

Code Actions

For Snyk Open Source and Snyk IaC, the plugin allows users to open detailed issue descriptions of highlighted issues in a browser window:

wordpress-sync/blog-lsp-directory-traversal

From now on, Eclipse will automatically support all Snyk products provided by the Snyk Language Server.

Make Snyk work for you, right at your fingertips

With LSP, Snyk support is embedded in a whole slew of new IDEs and editors. With Eclipse, we added a major additional tool, but virtually all important developer workbenches support LSP. Try Snyk for free in your loved environment today by clicking here and installing the plugin that is right for you. Stay secure.

wordpress-sync/feature-dev-challenge

アプリケーションセキュリティギャップ分析の実施方法

アセットの可視性、アプリケーションセキュリティのカバレッジ、および優先順位付けのためのアプリケーションセキュリティギャップ分析を実行する手順を詳しく説明します。